
Tuesday, October 22, 2013

# mkdir /usr/local/lynis

Download the stable version of the Lynis source files from the trusted website using the wget command and unpack it using the tar command as shown below.

# cd /usr/local/lynis
# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
# tar -xvf lynis-1.3.0.tar.gz

Running and Using Lynis Basics

You must be the root user to run Lynis, because it creates and writes its output to the /var/log/lynis.log file. To run Lynis, execute the following commands.

# cd lynis-1.3.0
# ./lynis

Friday, October 18, 2013

Name

limits.conf - configuration file for the pam_limits module

Description

The pam_limits.so module applies ulimit limits, nice priority and number of simultaneous login sessions limit to user login sessions. This description of the configuration file syntax applies to the /etc/security/limits.conf file and *.conf files in the /etc/security/limits.d directory.

The syntax of the lines is as follows:

<domain> <type> <item> <value>

The fields listed above should be filled as follows:

<domain>

• a username

• a groupname, with @group syntax. This should not be confused with netgroups.

• the wildcard *, for default entry.

• the wildcard %, for maxlogins limit only, can also be used with %group syntax. If the % wildcard is used alone it is identical to using * with maxsyslogins limit. With a group specified after % it limits the total number of logins of all users that are member of the group.

• a uid range specified as <min_uid>:<max_uid>. If min_uid is omitted, the match is exact for the max_uid. If max_uid is omitted, all uids greater than or equal to min_uid match.

• a gid range specified as @<min_gid>:<max_gid>. If min_gid is omitted, the match is exact for the max_gid. If max_gid is omitted, all gids greater than or equal to min_gid match. For the exact match all groups, including the user's supplementary groups, are examined. For the range matches only the user's primary group is examined.

• a gid specified as %:<gid> applicable to maxlogins limit only. It limits the total number of logins of all users that are member of the group with the specified gid.

<type>

hard

for enforcing hard resource limits. These limits are set by the superuser and enforced by the kernel. The user cannot raise his requirement of system resources above such values.

soft

for enforcing soft resource limits. These limits are ones that the user can move up or down within the permitted range by any pre-existing hard limits. The values specified with this token can be thought of as default values, for normal system usage.

-

for enforcing both soft and hard resource limits together.

Note: if you specify a type of '-' but neglect to supply the item and value fields, then the module will never enforce any limits on the specified user/group etc.

<item>

core

limits the core file size (KB)

data

maximum data size (KB)

fsize

maximum filesize (KB)

memlock

maximum locked-in-memory address space (KB)

nofile

maximum number of open files

rss

maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher)

stack

maximum stack size (KB)

cpu

maximum CPU time (minutes)

nproc

maximum number of processes

as

address space limit (KB)

maxlogins

maximum number of logins for this user, except for users with uid=0

maxsyslogins

maximum number of all logins on system

priority

the priority to run user process with (negative values boost process priority)

All items support the values -1, unlimited or infinity indicating no limit, except for priority and nice.

If a hard limit or soft limit of a resource is set to a valid value, but outside of the supported range of the local system, the system may reject the new limit or unexpected behavior may occur. If the control value required is used, the module will reject the login if a limit could not be set.

In general, individual limits have priority over group limits, so if you impose no limits for the admin group, but one of the members of this group has a limits line, the user will have its limits set according to this line.

Also, please note that all limit settings are set per login. They are not global, nor are they permanent; existing only for the duration of the session.

In the limits configuration file, the '#' character introduces a comment - after which the rest of the line is ignored.

The pam_limits module does report configuration problems found in its configuration file and errors via syslog(3).

Examples

These are some example lines which might be specified in /etc/security/limits.conf.

A soft limit is like a warning and a hard limit is the real maximum. For example, the following will prevent anyone in the student group from having more than 50 processes, and a warning will be given at 30 processes.

@student hard nproc 50
@student soft nproc 30

Hard limits are maintained by the kernel while the soft limits are enforced by the shell.
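The following Python script is an added example, not part of the man page. It parses limits.conf-style lines, flags the configuration mistakes described above (an unknown item, a non-numeric value, a '-' line with no item and value, which silently disables enforcement), and works out which limits a given login would actually receive. The precedence model is a deliberate simplification of pam_limits: individual lines (username or uid range) beat group lines, which beat the '*' default, later lines beat earlier ones of equal precedence, and the '%' maxlogins wildcards are not modelled. The sample file and users are constructed.

```python
"""Check limits.conf-style lines and work out a user's effective limits.
Added example (not from the man page); precedence is a simplified pam_limits
model, see the comments in match_rank()/effective_limits()."""
import re
from collections import namedtuple

# Items from the list above; 'priority' takes a nice value, the rest a count/size.
KNOWN_ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack",
               "cpu", "nproc", "as", "maxlogins", "maxsyslogins", "priority"}
NO_LIMIT = {"-1", "unlimited", "infinity"}
LimitLine = namedtuple("LimitLine", "domain type item value lineno")
User = namedtuple("User", "name uid gid groups")  # gid: primary gid; groups: all group names


def parse_limits(text):
    """Return (entries, problems). '#' starts a comment that runs to end of line."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 2 and fields[1] == "-":
            # type '-' with no item/value: the module will never enforce limits here
            problems.append(f"line {lineno}: '{fields[0]} -' disables all limits for that domain")
        elif len(fields) != 4:
            problems.append(f"line {lineno}: expected 4 fields, got {len(fields)}")
        else:
            domain, typ, item, value = fields
            if typ not in ("hard", "soft", "-"):
                problems.append(f"line {lineno}: unknown type {typ!r}")
            elif item not in KNOWN_ITEMS:
                problems.append(f"line {lineno}: unknown item {item!r}")
            elif item == "priority" and not re.fullmatch(r"-?\d+", value):
                problems.append(f"line {lineno}: bad value {value!r} for priority")
            elif item != "priority" and not (value in NO_LIMIT or value.isdigit()):
                problems.append(f"line {lineno}: bad value {value!r} for {item}")
            else:
                entries.append(LimitLine(domain, typ, item, value, lineno))
    return entries, problems


def _in_range(n, spec):
    """'min:max' as the man page defines it: ':max' is an exact match, 'min:' is >= min."""
    lo, _, hi = spec.partition(":")
    if not lo:
        return bool(hi) and n == int(hi)
    return n >= int(lo) if not hi else int(lo) <= n <= int(hi)


def match_rank(domain, user):
    """0 = '*' default, 1 = group, 2 = individual (name or uid range), None = no match."""
    if domain == "*":
        return 0
    if domain.startswith("%"):
        return None                      # maxlogins-only wildcards: not modelled
    if domain.startswith("@"):
        spec = domain[1:]
        if ":" in spec:                  # gid range: only the primary group is examined
            return 1 if _in_range(user.gid, spec) else None
        return 1 if spec in user.groups else None   # exact: supplementary groups count too
    if ":" in domain:
        return 2 if _in_range(user.uid, domain) else None
    return 2 if domain == user.name else None


def effective_limits(entries, user):
    """item -> {'hard': v, 'soft': v} as the login session would receive them."""
    best = {}   # (item, type) -> (rank, lineno, value)
    for e in entries:
        rank = match_rank(e.domain, user)
        if rank is None:
            continue
        for t in (("hard", "soft") if e.type == "-" else (e.type,)):
            cur = best.get((e.item, t))
            if cur is None or (rank, e.lineno) >= cur[:2]:   # higher rank, then later line, wins
                best[(e.item, t)] = (rank, e.lineno, e.value)
    result = {}
    for (item, t), (_rank, _line, value) in best.items():
        result.setdefault(item, {})[t] = value
    return result


# Constructed sample, not a real host's file.
SAMPLE_CONF = """\
*        soft nofile   1024
*        hard nofile   4096
@student hard nproc    50
@student soft nproc    30
alice    -    nproc    100   # individual line beats the @student lines
@admin   -                   # '-' and nothing else: never enforced
bob      hard core     0
bob      soft priority 5
bob      hard stack    huge  # not a number
"""

if __name__ == "__main__":
    entries, problems = parse_limits(SAMPLE_CONF)
    print("\n".join(problems))
    print(effective_limits(entries, User("alice", 1001, 2000, ("student", "users"))))
```

Running it reports the '@admin -' line and the 'huge' value as problems, and shows alice receiving nproc 100 for both hard and soft (her individual '-' line overrides the @student lines), while a user who is only in student gets hard 50 / soft 30.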

Syntax of the /etc/security/limits.conf file

The /etc/security/limits.conf file contains a list of lines, where each line describes a limit for a user in the form of:

Sunday, October 13, 2013

Backing up MySQL database on restricted user account

I know that backing up databases is a job for a sysadmin. I know that I shouldn’t do that because I’m a stupid developer. I know that. I just couldn’t resist… And then I came across a strange error that a sysadmin never encounters (you know… mysqldump -u root…). I couldn’t dump this db due to an events error. So here is a quick solution for that.

iface eth0 inet6 static
    address 2001:41d0:1:XXXX::1
    netmask 56
    gateway 2001:41d0:1:XXFF:FF:FF:FF:FF

If you want to have more than one IPv6 address, add the following lines to the second (inet6) definition of the eth0 interface.

If Terminal Services is already installed on the server, the Terminal Services check box will be selected and dimmed.

Click Next.

On the Terminal Services page, click Next.

On the Select Role Services page, select the Terminal Server check box, and then click Next.

Note

If you are installing the Terminal Server role service on a domain controller, you will receive a warning message because installing the Terminal Server role service on a domain controller is not recommended. For more information, see "Installing Terminal Server on a Domain Controller" in the Terminal Server Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?linkid=109277).

On the Uninstall and Reinstall Applications for Compatibility page, click Next.

On the Specify Authentication Method for Terminal Server page, select the appropriate authentication method for the terminal server, and then click Next. For more information about authentication methods, see "Configure the Network Level Authentication Setting for a Terminal Server" in the Terminal Server Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?linkid=109280).

On the Specify Licensing Mode page, select the appropriate licensing mode for the terminal server, and then click Next. For more information about licensing modes, see "Specify the Terminal Services Licensing Mode" in the Terminal Services Configuration Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?linkid=101638).

On the Select User Groups Allowed Access To This Terminal Server page, add the users or user groups that you want to be able to remotely connect to this terminal server, and then click Next. For more information, see "Configure the Remote Desktop User Group" in the Terminal Server Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?linkid=109278).

On the Confirm Installation Selections page, verify that the Terminal Server role service will be installed, and then click Install.

On the Installation Progress page, installation progress will be noted.

On the Installation Results page, you are prompted to restart the server to finish the installation process. Click Close, and then click Yes to restart the server.

If you are prompted that other programs are still running, do either of the following:

To close the programs manually and restart the server later, click Cancel.

To automatically close the programs and restart the server, click Restart now.

After the server restarts and you log on to the computer, the remaining steps of the installation will finish. When the Installation Results page appears, confirm that the installation of Terminal Server succeeded.

You can also confirm that Terminal Server is installed by following these steps:

Start Server Manager.

Under Roles Summary, click Terminal Services.

Under System Services, confirm that Terminal Services has a status of Running.

Under Role Services, confirm that Terminal Server has a status of Installed.

Installing Remote Desktop Services

Open the Server Manager, right-click on Roles and select Add Roles from the context menu.

Click next on the Before You Begin page to bring up a list of Roles that can be installed, select Remote Desktop Services and click next.

On the Introduction To Remote Desktop Services page click next, this will bring you to the Role Services page, select the Remote Desktop Session Host as well as the Remote Desktop Licensing Service and then click next.

When you get to the application compatibility page it tells you that you should install the Session Host Role before you install your applications; just click next, as we have not yet installed our applications. You are then asked if you want to require NLA. This will only allow Windows clients to connect to the Remote Desktop Session Host Server, and in addition they must be running a Remote Desktop Client that supports Network Level Authentication. I will go ahead and require NLA and then click next.

Now you have to choose a licensing method. Most of you won't have Remote Desktop Client Access Licenses, so you can leave your option at Configure Later; this will give you unlimited access to the Remote Desktop Server for 4 Months (120 Days). However, if you do have licenses, here is some information to help you make your choice:

Licensing Modes

The licenses you purchased can be used either as Per User or Per Device. It is purely up to you; however, if you already have an RDS Licensing Server you will have to choose the same option you chose when importing the licenses originally.

RDS Per User CAL – This means that every user that connects to the RDS Server must have a license. The license is assigned to the user rather than to the devices that he/she connects to the server from. This mode is a good choice if your users want to connect from a lot of different computers or devices (iPad, Home PC, Laptop, Phone etc.).

RDS Per Device CAL – If your users share a common workstation this is the mode for you. The license is given to the device rather than to the users, so many people can connect from a single device. However, if they try to connect from a different device they will not be able to, since their user account doesn’t have a license.

I will leave mine at Configure Later and click next.

Now you should specify who can connect to the Remote Desktop Server. I will just add my user account (Windows Geek), then click next.

You are now given the option of making the RDS Server look and act more like Windows 7; this is to avoid users getting confused when they see the classic theme. I will enable all the settings. It requires more bandwidth though, so take your network traffic into account before going click-happy and selecting everything. Once you have made your choice click next.

Since we are running Server 2008 R2, we don’t need to specify a Discovery Scope, so just click next again.

Finally you can click on install.

Once installation is complete, reboot your server; when you log in the configuration will complete. That’s all there is to installing a Remote Desktop Server.

Activation

If you need to install your licenses you can do it through the RD Licensing Manager. You will need to activate the Server first though. I won't go through this, as it is self-explanatory.

Once you have installed your Licenses you will need to specify a license server for the RDS Session Host to use. To do this, open the RDS Session Host Configuration MMC.

When the console opens double-click on the Remote Desktop license servers link.

Now you can specify your licensing mode and then hit the add button to specify a licensing server.

As I said before, you can skip this activation section and use Remote Desktop Services for 120 Days before you need to purchase a CAL. Once you have done this you will need to install your applications. However, you can't just install them in any fashion you want; there is actually a special method for installing applications on a Remote Desktop Server.

Right Click on “Restrict each user to a single session” in the “Edit settings” section and choose “Properties“.


Step 3

Uncheck the “Restrict each user to a single session” checkbox and Click OK.


Step 4

Click OK for the window that opens.


Step 5

You will need to log off and log back on for the changes to take effect.

You will now be able to connect to multiple Remote Desktop Sessions on the same user account.

Alternatively you can use this Registry .reg file to disable the setting above:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fSingleSessionPerUser"=dword:00000000
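Because a .reg file silently changes a server-wide setting, it is worth being able to read one back before importing it or when auditing an exported hive. The Python below is an added example, not code from this article: it parses a Windows Registry Editor Version 5.00 export (section headers, dword:, quoted strings, '@' defaults and the '-' deletion marker) and reports whether the export leaves each user limited to a single Remote Desktop session. It runs offline on the text of the export; the second sample file, which sets the value back to 1, is constructed.

```python
"""Parse a REGEDIT5 (.reg) export and check the single-session-per-user setting.
Added example, not the KB's own code; works on exported .reg text, offline."""
import re


def parse_reg(text):
    """Return {key_path: {value_name: (kind, value)}} for a
    'Windows Registry Editor Version 5.00' export."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Windows Registry Editor Version 5.00 export")
    data, key = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                        # [HKEY_...\Path] section header
            key = m.group(1)
            data.setdefault(key, {})
            continue
        if key is None:
            raise ValueError(f"value line before any key: {line!r}")
        name, _, val = line.partition("=")
        name = "@" if name == "@" else name.strip('"')   # '@' is the key's default value
        if val.startswith("dword:"):
            data[key][name] = ("REG_DWORD", int(val[len("dword:"):], 16))
        elif len(val) >= 2 and val[0] == val[-1] == '"':
            # REG_SZ: undo the \" and \\ escapes used by the export format
            data[key][name] = ("REG_SZ", val[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        elif val == "-":
            data[key][name] = ("DELETE", None)       # importing this deletes the value
        else:
            data[key][name] = ("RAW", val)           # hex:, expand strings etc. left as text
    return data


TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def single_session_enforced(reg):
    """True if the export sets fSingleSessionPerUser to a non-zero DWORD (each
    user limited to one session), False if it sets it to 0, None if it does
    not touch the value at all."""
    entry = reg.get(TS_KEY, {}).get("fSingleSessionPerUser")
    if entry is None or entry[0] != "REG_DWORD":
        return None
    return entry[1] != 0


# The .reg file from the article, and a constructed variant that restores the restriction.
DISABLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fSingleSessionPerUser"=dword:00000000
"""
ENABLE_REG = DISABLE_REG.replace("dword:00000000", "dword:00000001")

if __name__ == "__main__":
    for label, text in (("article .reg", DISABLE_REG), ("constructed", ENABLE_REG)):
        print(label, "- single session per user enforced:", single_session_enforced(parse_reg(text)))
```

The check returns None rather than guessing when the export does not mention the value, so a caller can tell "not changed by this file" apart from "explicitly set".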

When setting up new servers, one of the first things to do is to make sure other machines can connect to them. The easiest way to do that has typically been to use the ping command, which sends an Internet Control Message Protocol (ICMP) Echo Request message to the remote machine. Due to security concerns, however, the Windows Firewall on Windows Server 2008 and Windows Server 2008 R2 is configured to disallow responses to these requests. Here is how to enable responses to these requests.

Windows Firewall Control Panel

Display the Windows Firewall control panel and click the Advanced settings link on the left.

Inbound Rules

Click on the Inbound Rules entry below the Windows Firewall with Advanced Settings entry in the left pane.

Echo Request Rules

There are two rules for echo requests, one called File and Printer Sharing (Echo Request – ICMPv4-In) and the other File and Printer Sharing (Echo Request – ICMPv6-In). You’ll find these in the contents pane on the right.

Enable the Rules

Right click on a rule and click on Enable.

Once the rule has been enabled, the icon will turn green and the value in the Enabled column will change from No to Yes.

Command Line Control

Note that Windows Server Core does not have a UI. You can use the following commands from a command prompt window to enable and disable the IPv4 rule:

If you have ever added multiple IP addresses to a single Windows server, you know that going through the graphical interface is an incredible pain, as each IP must be added manually, each in a new dialog box. Here’s a simple solution.

Needless to say, this can be incredibly monotonous and time consuming if you are adding more than a few IP addresses. Thankfully, there is a much easier way which allows you to add an entire subnet (or more) in seconds.

Adding an IP Address from the Command Line

Windows includes the “netsh” command, which allows you to configure just about any aspect of your network connections. If you view the accepted parameters using “netsh /?”, you will be presented with a list of commands, each of which has its own list of commands (and so on). For the purpose of adding IP addresses, we are interested in this string of parameters:

netsh interface ipv4 add address

Note: For Windows Server 2003/XP and earlier, “ipv4” should be replaced with just “ip” in the netsh command.

If you view the help information, you can see the full list of accepted parameters but for the most part what you will be interested in is something like this:

Go to Control Panel -> Network Connections -> Local Area Connection.
Right-click it and select Properties.
Select Internet Protocol (TCP/IP).
Click Properties.
Click Advanced.
Click Add and add the new IP, with 255.255.255.0 as the subnet mask.

Open the server's Start menu and select Network.
Double-click on the Network and Sharing Center icon.
Click on the Change Adapter Settings link on the left.
Right-click on the icon representing your server's network card and select Properties from the menu that appears.
Select Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.
Click the Advanced button.
Click the Add button under the IP addresses section of the IP Settings tab.
Enter the IP address and subnet mask 255.255.255.0 and click the Add button.
Click the OK button to close the Advanced TCP/IP Settings window.
Click the OK button to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
Click the Close button to close out of the Local Area Connection Properties window.

Thursday, October 3, 2013

The find command searches for files, starting at a directory named on the command line. It looks for files that match whatever criteria you wish, such as all regular files, all files that end in .trash, or any file older than a particular date. When it finds a file that matches the criteria, it performs whatever task you specify, such as removing the file, printing the name of the file, changing the file's permissions, and so forth.

For example:

# find /usr -local -type f -mtime +60 -print > /usr/tmp/deadfiles &

-mtime +60
    Says you are interested only in files that have not been modified in the last 60 days.

As another example, you can use the find command to find files over 7 days old in the temporary directories and remove them. Use the following commands:
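The point that trips people up with this kind of cleanup is the exact meaning of "+N": find counts age in whole days and "+60" selects only files whose whole-day age is strictly greater than 60, so a file 60.9 days old is not selected. The Python below is an added example, not from the original post; it reimplements `find DIR -type f -mtime +N` with that rounding rule, adds a dry-run mode so a cleanup job can be logged before it deletes anything, and exercises both on a constructed temporary tree whose file timestamps are back-dated with os.utime. The -local option (stay on local filesystems) is not modelled, and no real path such as /usr/tmp is touched.

```python
"""Python equivalent of `find DIR -type f -mtime +N` plus an optional delete step.
Added example, not from the original post; runs entirely inside a temporary directory."""
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def mtime_days(path, now=None):
    """Whole days since last modification, the way find(1) counts for -mtime:
    age in seconds divided by 86400, fraction discarded."""
    now = time.time() if now is None else now
    return int((now - os.stat(path).st_mtime) // DAY)


def find_stale_files(root, older_than_days, now=None):
    """Regular files under root whose whole-day age is strictly greater than
    older_than_days (find's '+N'). Symlinks are neither followed nor listed."""
    stale = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            if mtime_days(p, now) > older_than_days:
                stale.append(p)
    return sorted(stale)


def purge_stale_files(root, older_than_days, dry_run=True, now=None):
    """List the stale files and, unless dry_run, unlink them. The list is
    returned either way, so a cleanup job can log what it would remove first."""
    victims = find_stale_files(root, older_than_days, now)
    if not dry_run:
        for p in victims:
            p.unlink()
    return victims


def _aged_file(path, days, now):
    """Create a constructed file and back-date its atime/mtime by `days` days."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text("constructed")
    stamp = now - days * DAY
    os.utime(path, (stamp, stamp))


def demo(now=None):
    """Constructed tree: a 90-day-old file in a subdirectory and a 10-day-old
    file at the top. Returns (dry-run listing, removed names, names left)."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        _aged_file(Path(tmp) / "sub" / "old.log", 90, now)
        _aged_file(Path(tmp) / "fresh.log", 10, now)
        listed = [p.name for p in purge_stale_files(tmp, 60, dry_run=True, now=now)]
        removed = [p.name for p in purge_stale_files(tmp, 60, dry_run=False, now=now)]
        left = sorted(p.name for p in Path(tmp).rglob("*") if p.is_file())
    return listed, removed, left


def boundary_cases(now=None):
    """+60 must skip files 60 and 60.9 days old and select one 61.5 days old;
    returns the three verdicts in that order."""
    now = time.time() if now is None else now
    verdicts = []
    with tempfile.TemporaryDirectory() as tmp:
        for i, days in enumerate((60, 60.9, 61.5)):
            p = Path(tmp) / f"f{i}"
            _aged_file(p, days, now)
            verdicts.append(mtime_days(p, now) > 60)
    return tuple(verdicts)


if __name__ == "__main__":
    print(demo())            # (['old.log'], ['old.log'], ['fresh.log'])
    print(boundary_cases())  # (False, False, True)
```

The dry-run first, delete second pattern is the one to keep when turning this into a scheduled job: run the listing into a log the way the original command redirects -print output to a file, review it, and only then run with dry_run=False.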

Tuesday, October 1, 2013

Install ncftp client

The ncftp client software can be downloaded from http://www.ncftp.com/ncftp/ and works with FreeBSD, Solaris and almost all UNIX variants. You can also run the following command to install ncftp:

$ sudo apt-get install ncftp

FTP get directory recursively

ncftpget is an Internet file transfer program for scripts and advanced usage. You need to use the command as follows:

$ ncftpget -R -v -u "ftpuser" ftp.nixcraft.net /home/vivek/backup /www-data

Where,